Add Restricted Mode handling to NetworkPolicyManager

Adds Restricted Mode functionality to NetworkPolicyManager. When this
mode is turned on (via setting), only apps with
android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS will be able to
use the network. For all other apps, the network will be blocked by the
firewall. This is controlled by a new allowlist firewall chain
fw_restricted_mode.

As a first step, this implementation still requires a reboot after the
enabling / disabling the mode to take effect. I will provide the dynamic
configuration in the next CL.

Test: atest CtsHostsideNetworkTests && atest
NetworkPolicyManagerServiceTest
Bug: 170322816
Bug: 157505406
Bug: 170322455
Bug: 175281879

Exempt-From-Owner-Approval: Change already merged on internal gerrit.
Change-Id: I0731fa842c69683953baaf9ec3a9a03454f4c607
Merged-In: I0731fa842c69683953baaf9ec3a9a03454f4c607